I also strongly encourage the option to have a longer certificate lifespan. If you’re concerned this does not work with your current API: well, just add an optional parameter during the request where one can specify their own validity period, and only sign if it’s between 90 and 360, for example. No real need to change the API fundamentally there.
Automation is all well and good, but you lose control. And certificates are something I definitely don’t want to lose control of here. I thought you were all for a more secure web here. And what did Murphy say?
The main issue here is that you advertise that everyone should use Let’s Encrypt and that it is very easy. To some extent it is, but you still need to have fundamental knowledge of SSL/TLS, X509, IT security and basic webserver operation to do so. As others mentioned, this 90-day lifespan somewhat feels like “I know better than you”, and I’m somewhat offended by that. And when you start taking control out of something, people will let it run without checking up on things, and this is far worse than having something like Heartbleed: it’s having Heartbleed and not fixing it.
Yes, there’s stuff like Heartbleed and Debian SSLKeys, but they took several years to detect. Nothing here to help you with 90-day certificates. And to be safe I have to renew the certificates anyway (and in the case of SSLKeys I have to generate a new private key too).
Also, these are problems in the implementation, not the concept of SSL/TLS. Imposing a 90-day lifetime is a change to the concept to avoid problems of the implementation. So it’s like aspirin: it helps you against headaches, but it doesn’t help if you have a brain tumor causing your headache. So it would be much better to fix the brain tumor than to numb the pain and ignore the tumor.
@raairb: finally someone is on the same page as me, who thinks installing gcc on a productive server might not be the best idea of all time. Use acme-tiny (https://github.com/diafygi/acme-tiny). Much cleaner and easier to understand - and to audit myself. Generally: don’t use the official client unless you really have to.